1 // SPDX-License-Identifier: GPL-2.0 2 3 //! String representations. 4 5 use crate::{ 6 alloc::{flags::*, AllocError, KVec}, 7 error::{to_result, Result}, 8 fmt::{self, Write}, 9 prelude::*, 10 }; 11 use core::{ 12 marker::PhantomData, 13 ops::{Deref, DerefMut, Index}, 14 }; 15 16 pub use crate::prelude::CStr; 17 18 /// Byte string without UTF-8 validity guarantee. 19 #[repr(transparent)] 20 pub struct BStr([u8]); 21 22 impl BStr { 23 /// Returns the length of this string. 24 #[inline] 25 pub const fn len(&self) -> usize { 26 self.0.len() 27 } 28 29 /// Returns `true` if the string is empty. 30 #[inline] 31 pub const fn is_empty(&self) -> bool { 32 self.len() == 0 33 } 34 35 /// Creates a [`BStr`] from a `[u8]`. 36 #[inline] 37 pub const fn from_bytes(bytes: &[u8]) -> &Self { 38 // SAFETY: `BStr` is transparent to `[u8]`. 39 unsafe { &*(core::ptr::from_ref(bytes) as *const BStr) } 40 } 41 42 /// Strip a prefix from `self`. Delegates to [`slice::strip_prefix`]. 43 /// 44 /// # Examples 45 /// 46 /// ``` 47 /// # use kernel::b_str; 48 /// assert_eq!(Some(b_str!("bar")), b_str!("foobar").strip_prefix(b_str!("foo"))); 49 /// assert_eq!(None, b_str!("foobar").strip_prefix(b_str!("bar"))); 50 /// assert_eq!(Some(b_str!("foobar")), b_str!("foobar").strip_prefix(b_str!(""))); 51 /// assert_eq!(Some(b_str!("")), b_str!("foobar").strip_prefix(b_str!("foobar"))); 52 /// ``` 53 pub fn strip_prefix(&self, pattern: impl AsRef<Self>) -> Option<&BStr> { 54 self.deref() 55 .strip_prefix(pattern.as_ref().deref()) 56 .map(Self::from_bytes) 57 } 58 } 59 60 impl fmt::Display for BStr { 61 /// Formats printable ASCII characters, escaping the rest. 62 /// 63 /// ``` 64 /// # use kernel::{prelude::fmt, b_str, str::{BStr, CString}}; 65 /// let ascii = b_str!("Hello, BStr!"); 66 /// let s = CString::try_from_fmt(fmt!("{ascii}"))?; 67 /// assert_eq!(s.to_bytes(), "Hello, BStr!".as_bytes()); 68 /// 69 /// let non_ascii = b_str!("��"); 70 /// let s = CString::try_from_fmt(fmt!("{non_ascii}"))?; 71 /// assert_eq!(s.to_bytes(), "\\xf0\\x9f\\xa6\\x80".as_bytes()); 72 /// # Ok::<(), kernel::error::Error>(()) 73 /// ``` 74 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 75 for &b in &self.0 { 76 match b { 77 // Common escape codes. 78 b'\t' => f.write_str("\\t")?, 79 b'\n' => f.write_str("\\n")?, 80 b'\r' => f.write_str("\\r")?, 81 // Printable characters. 82 0x20..=0x7e => f.write_char(b as char)?, 83 _ => write!(f, "\\x{b:02x}")?, 84 } 85 } 86 Ok(()) 87 } 88 } 89 90 impl fmt::Debug for BStr { 91 /// Formats printable ASCII characters with a double quote on either end, 92 /// escaping the rest. 93 /// 94 /// ``` 95 /// # use kernel::{prelude::fmt, b_str, str::{BStr, CString}}; 96 /// // Embedded double quotes are escaped. 97 /// let ascii = b_str!("Hello, \"BStr\"!"); 98 /// let s = CString::try_from_fmt(fmt!("{ascii:?}"))?; 99 /// assert_eq!(s.to_bytes(), "\"Hello, \\\"BStr\\\"!\"".as_bytes()); 100 /// 101 /// let non_ascii = b_str!("��"); 102 /// let s = CString::try_from_fmt(fmt!("{non_ascii:?}"))?; 103 /// assert_eq!(s.to_bytes(), "\"\\xf0\\x9f\\x98\\xba\"".as_bytes()); 104 /// # Ok::<(), kernel::error::Error>(()) 105 /// ``` 106 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 107 f.write_char('"')?; 108 for &b in &self.0 { 109 match b { 110 // Common escape codes. 111 b'\t' => f.write_str("\\t")?, 112 b'\n' => f.write_str("\\n")?, 113 b'\r' => f.write_str("\\r")?, 114 // String escape characters. 115 b'\"' => f.write_str("\\\"")?, 116 b'\\' => f.write_str("\\\\")?, 117 // Printable characters. 118 0x20..=0x7e => f.write_char(b as char)?, 119 _ => write!(f, "\\x{b:02x}")?, 120 } 121 } 122 f.write_char('"') 123 } 124 } 125 126 impl Deref for BStr { 127 type Target = [u8]; 128 129 #[inline] 130 fn deref(&self) -> &Self::Target { 131 &self.0 132 } 133 } 134 135 impl PartialEq for BStr { 136 fn eq(&self, other: &Self) -> bool { 137 self.deref().eq(other.deref()) 138 } 139 } 140 141 impl<Idx> Index<Idx> for BStr 142 where 143 [u8]: Index<Idx, Output = [u8]>, 144 { 145 type Output = Self; 146 147 fn index(&self, index: Idx) -> &Self::Output { 148 BStr::from_bytes(&self.0[index]) 149 } 150 } 151 152 impl AsRef<BStr> for [u8] { 153 fn as_ref(&self) -> &BStr { 154 BStr::from_bytes(self) 155 } 156 } 157 158 impl AsRef<BStr> for BStr { 159 fn as_ref(&self) -> &BStr { 160 self 161 } 162 } 163 164 /// Creates a new [`BStr`] from a string literal. 165 /// 166 /// `b_str!` converts the supplied string literal to byte string, so non-ASCII 167 /// characters can be included. 168 /// 169 /// # Examples 170 /// 171 /// ``` 172 /// # use kernel::b_str; 173 /// # use kernel::str::BStr; 174 /// const MY_BSTR: &BStr = b_str!("My awesome BStr!"); 175 /// ``` 176 #[macro_export] 177 macro_rules! b_str { 178 ($str:literal) => {{ 179 const S: &'static str = $str; 180 const C: &'static $crate::str::BStr = $crate::str::BStr::from_bytes(S.as_bytes()); 181 C 182 }}; 183 } 184 185 /// Returns a C pointer to the string. 186 // It is a free function rather than a method on an extension trait because: 187 // 188 // - error[E0379]: functions in trait impls cannot be declared const 189 #[inline] 190 pub const fn as_char_ptr_in_const_context(c_str: &CStr) -> *const c_char { 191 c_str.as_ptr().cast() 192 } 193 194 mod private { 195 pub trait Sealed {} 196 197 impl Sealed for super::CStr {} 198 } 199 200 /// Extensions to [`CStr`]. 201 pub trait CStrExt: private::Sealed { 202 /// Wraps a raw C string pointer. 203 /// 204 /// # Safety 205 /// 206 /// `ptr` must be a valid pointer to a `NUL`-terminated C string, and it must 207 /// last at least `'a`. When `CStr` is alive, the memory pointed by `ptr` 208 /// must not be mutated. 209 // This function exists to paper over the fact that `CStr::from_ptr` takes a `*const 210 // core::ffi::c_char` rather than a `*const crate::ffi::c_char`. 211 unsafe fn from_char_ptr<'a>(ptr: *const c_char) -> &'a Self; 212 213 /// Creates a mutable [`CStr`] from a `[u8]` without performing any 214 /// additional checks. 215 /// 216 /// # Safety 217 /// 218 /// `bytes` *must* end with a `NUL` byte, and should only have a single 219 /// `NUL` byte (or the string will be truncated). 220 unsafe fn from_bytes_with_nul_unchecked_mut(bytes: &mut [u8]) -> &mut Self; 221 222 /// Returns a C pointer to the string. 223 // This function exists to paper over the fact that `CStr::as_ptr` returns a `*const 224 // core::ffi::c_char` rather than a `*const crate::ffi::c_char`. 225 fn as_char_ptr(&self) -> *const c_char; 226 227 /// Convert this [`CStr`] into a [`CString`] by allocating memory and 228 /// copying over the string data. 229 fn to_cstring(&self) -> Result<CString, AllocError>; 230 231 /// Converts this [`CStr`] to its ASCII lower case equivalent in-place. 232 /// 233 /// ASCII letters 'A' to 'Z' are mapped to 'a' to 'z', 234 /// but non-ASCII letters are unchanged. 235 /// 236 /// To return a new lowercased value without modifying the existing one, use 237 /// [`to_ascii_lowercase()`]. 238 /// 239 /// [`to_ascii_lowercase()`]: #method.to_ascii_lowercase 240 fn make_ascii_lowercase(&mut self); 241 242 /// Converts this [`CStr`] to its ASCII upper case equivalent in-place. 243 /// 244 /// ASCII letters 'a' to 'z' are mapped to 'A' to 'Z', 245 /// but non-ASCII letters are unchanged. 246 /// 247 /// To return a new uppercased value without modifying the existing one, use 248 /// [`to_ascii_uppercase()`]. 249 /// 250 /// [`to_ascii_uppercase()`]: #method.to_ascii_uppercase 251 fn make_ascii_uppercase(&mut self); 252 253 /// Returns a copy of this [`CString`] where each character is mapped to its 254 /// ASCII lower case equivalent. 255 /// 256 /// ASCII letters 'A' to 'Z' are mapped to 'a' to 'z', 257 /// but non-ASCII letters are unchanged. 258 /// 259 /// To lowercase the value in-place, use [`make_ascii_lowercase`]. 260 /// 261 /// [`make_ascii_lowercase`]: str::make_ascii_lowercase 262 fn to_ascii_lowercase(&self) -> Result<CString, AllocError>; 263 264 /// Returns a copy of this [`CString`] where each character is mapped to its 265 /// ASCII upper case equivalent. 266 /// 267 /// ASCII letters 'a' to 'z' are mapped to 'A' to 'Z', 268 /// but non-ASCII letters are unchanged. 269 /// 270 /// To uppercase the value in-place, use [`make_ascii_uppercase`]. 271 /// 272 /// [`make_ascii_uppercase`]: str::make_ascii_uppercase 273 fn to_ascii_uppercase(&self) -> Result<CString, AllocError>; 274 } 275 276 impl fmt::Display for CStr { 277 /// Formats printable ASCII characters, escaping the rest. 278 /// 279 /// ``` 280 /// # use kernel::c_str; 281 /// # use kernel::prelude::fmt; 282 /// # use kernel::str::CStr; 283 /// # use kernel::str::CString; 284 /// let penguin = c_str!("��"); 285 /// let s = CString::try_from_fmt(fmt!("{penguin}"))?; 286 /// assert_eq!(s.to_bytes_with_nul(), "\\xf0\\x9f\\x90\\xa7\0".as_bytes()); 287 /// 288 /// let ascii = c_str!("so \"cool\""); 289 /// let s = CString::try_from_fmt(fmt!("{ascii}"))?; 290 /// assert_eq!(s.to_bytes_with_nul(), "so \"cool\"\0".as_bytes()); 291 /// # Ok::<(), kernel::error::Error>(()) 292 /// ``` 293 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 294 for &c in self.to_bytes() { 295 if (0x20..0x7f).contains(&c) { 296 // Printable character. 297 f.write_char(c as char)?; 298 } else { 299 write!(f, "\\x{c:02x}")?; 300 } 301 } 302 Ok(()) 303 } 304 } 305 306 /// Converts a mutable C string to a mutable byte slice. 307 /// 308 /// # Safety 309 /// 310 /// The caller must ensure that the slice ends in a NUL byte and contains no other NUL bytes before 311 /// the borrow ends and the underlying [`CStr`] is used. 312 unsafe fn to_bytes_mut(s: &mut CStr) -> &mut [u8] { 313 // SAFETY: the cast from `&CStr` to `&[u8]` is safe since `CStr` has the same layout as `&[u8]` 314 // (this is technically not guaranteed, but we rely on it here). The pointer dereference is 315 // safe since it comes from a mutable reference which is guaranteed to be valid for writes. 316 unsafe { &mut *(core::ptr::from_mut(s) as *mut [u8]) } 317 } 318 319 impl CStrExt for CStr { 320 #[inline] 321 unsafe fn from_char_ptr<'a>(ptr: *const c_char) -> &'a Self { 322 // SAFETY: The safety preconditions are the same as for `CStr::from_ptr`. 323 unsafe { CStr::from_ptr(ptr.cast()) } 324 } 325 326 #[inline] 327 unsafe fn from_bytes_with_nul_unchecked_mut(bytes: &mut [u8]) -> &mut Self { 328 // SAFETY: the cast from `&[u8]` to `&CStr` is safe since the properties of `bytes` are 329 // guaranteed by the safety precondition and `CStr` has the same layout as `&[u8]` (this is 330 // technically not guaranteed, but we rely on it here). The pointer dereference is safe 331 // since it comes from a mutable reference which is guaranteed to be valid for writes. 332 unsafe { &mut *(core::ptr::from_mut(bytes) as *mut CStr) } 333 } 334 335 #[inline] 336 fn as_char_ptr(&self) -> *const c_char { 337 self.as_ptr().cast() 338 } 339 340 fn to_cstring(&self) -> Result<CString, AllocError> { 341 CString::try_from(self) 342 } 343 344 fn make_ascii_lowercase(&mut self) { 345 // SAFETY: This doesn't introduce or remove NUL bytes in the C string. 346 unsafe { to_bytes_mut(self) }.make_ascii_lowercase(); 347 } 348 349 fn make_ascii_uppercase(&mut self) { 350 // SAFETY: This doesn't introduce or remove NUL bytes in the C string. 351 unsafe { to_bytes_mut(self) }.make_ascii_uppercase(); 352 } 353 354 fn to_ascii_lowercase(&self) -> Result<CString, AllocError> { 355 let mut s = self.to_cstring()?; 356 357 s.make_ascii_lowercase(); 358 359 Ok(s) 360 } 361 362 fn to_ascii_uppercase(&self) -> Result<CString, AllocError> { 363 let mut s = self.to_cstring()?; 364 365 s.make_ascii_uppercase(); 366 367 Ok(s) 368 } 369 } 370 371 impl AsRef<BStr> for CStr { 372 #[inline] 373 fn as_ref(&self) -> &BStr { 374 BStr::from_bytes(self.to_bytes()) 375 } 376 } 377 378 /// Creates a new [`CStr`] from a string literal. 379 /// 380 /// The string literal should not contain any `NUL` bytes. 381 /// 382 /// # Examples 383 /// 384 /// ``` 385 /// # use kernel::c_str; 386 /// # use kernel::str::CStr; 387 /// const MY_CSTR: &CStr = c_str!("My awesome CStr!"); 388 /// ``` 389 #[macro_export] 390 macro_rules! c_str { 391 ($str:expr) => {{ 392 const S: &str = concat!($str, "\0"); 393 const C: &$crate::str::CStr = match $crate::str::CStr::from_bytes_with_nul(S.as_bytes()) { 394 Ok(v) => v, 395 Err(_) => panic!("string contains interior NUL"), 396 }; 397 C 398 }}; 399 } 400 401 #[kunit_tests(rust_kernel_str)] 402 mod tests { 403 use super::*; 404 405 impl From<core::ffi::FromBytesWithNulError> for Error { 406 #[inline] 407 fn from(_: core::ffi::FromBytesWithNulError) -> Error { 408 EINVAL 409 } 410 } 411 412 macro_rules! format { 413 ($($f:tt)*) => ({ 414 CString::try_from_fmt(fmt!($($f)*))?.to_str()? 415 }) 416 } 417 418 const ALL_ASCII_CHARS: &str = 419 "\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\ 420 \\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f \ 421 !\"#$%&'()*+,-./0123456789:;<=>?@\ 422 ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\\x7f\ 423 \\x80\\x81\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8d\\x8e\\x8f\ 424 \\x90\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9d\\x9e\\x9f\ 425 \\xa0\\xa1\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xab\\xac\\xad\\xae\\xaf\ 426 \\xb0\\xb1\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xbb\\xbc\\xbd\\xbe\\xbf\ 427 \\xc0\\xc1\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xcb\\xcc\\xcd\\xce\\xcf\ 428 \\xd0\\xd1\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xdb\\xdc\\xdd\\xde\\xdf\ 429 \\xe0\\xe1\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\xea\\xeb\\xec\\xed\\xee\\xef\ 430 \\xf0\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff"; 431 432 #[test] 433 fn test_cstr_to_str() -> Result { 434 let cstr = c"\xf0\x9f\xa6\x80"; 435 let checked_str = cstr.to_str()?; 436 assert_eq!(checked_str, "��"); 437 Ok(()) 438 } 439 440 #[test] 441 fn test_cstr_to_str_invalid_utf8() -> Result { 442 let cstr = c"\xc3\x28"; 443 assert!(cstr.to_str().is_err()); 444 Ok(()) 445 } 446 447 #[test] 448 fn test_cstr_display() -> Result { 449 let hello_world = c"hello, world!"; 450 assert_eq!(format!("{hello_world}"), "hello, world!"); 451 let non_printables = c"\x01\x09\x0a"; 452 assert_eq!(format!("{non_printables}"), "\\x01\\x09\\x0a"); 453 let non_ascii = c"d\xe9j\xe0 vu"; 454 assert_eq!(format!("{non_ascii}"), "d\\xe9j\\xe0 vu"); 455 let good_bytes = c"\xf0\x9f\xa6\x80"; 456 assert_eq!(format!("{good_bytes}"), "\\xf0\\x9f\\xa6\\x80"); 457 Ok(()) 458 } 459 460 #[test] 461 fn test_cstr_display_all_bytes() -> Result { 462 let mut bytes: [u8; 256] = [0; 256]; 463 // fill `bytes` with [1..=255] + [0] 464 for i in u8::MIN..=u8::MAX { 465 bytes[i as usize] = i.wrapping_add(1); 466 } 467 let cstr = CStr::from_bytes_with_nul(&bytes)?; 468 assert_eq!(format!("{cstr}"), ALL_ASCII_CHARS); 469 Ok(()) 470 } 471 472 #[test] 473 fn test_cstr_debug() -> Result { 474 let hello_world = c"hello, world!"; 475 assert_eq!(format!("{hello_world:?}"), "\"hello, world!\""); 476 let non_printables = c"\x01\x09\x0a"; 477 assert_eq!(format!("{non_printables:?}"), "\"\\x01\\t\\n\""); 478 let non_ascii = c"d\xe9j\xe0 vu"; 479 assert_eq!(format!("{non_ascii:?}"), "\"d\\xe9j\\xe0 vu\""); 480 Ok(()) 481 } 482 483 #[test] 484 fn test_bstr_display() -> Result { 485 let hello_world = BStr::from_bytes(b"hello, world!"); 486 assert_eq!(format!("{hello_world}"), "hello, world!"); 487 let escapes = BStr::from_bytes(b"_\t_\n_\r_\\_\'_\"_"); 488 assert_eq!(format!("{escapes}"), "_\\t_\\n_\\r_\\_'_\"_"); 489 let others = BStr::from_bytes(b"\x01"); 490 assert_eq!(format!("{others}"), "\\x01"); 491 let non_ascii = BStr::from_bytes(b"d\xe9j\xe0 vu"); 492 assert_eq!(format!("{non_ascii}"), "d\\xe9j\\xe0 vu"); 493 let good_bytes = BStr::from_bytes(b"\xf0\x9f\xa6\x80"); 494 assert_eq!(format!("{good_bytes}"), "\\xf0\\x9f\\xa6\\x80"); 495 Ok(()) 496 } 497 498 #[test] 499 fn test_bstr_debug() -> Result { 500 let hello_world = BStr::from_bytes(b"hello, world!"); 501 assert_eq!(format!("{hello_world:?}"), "\"hello, world!\""); 502 let escapes = BStr::from_bytes(b"_\t_\n_\r_\\_\'_\"_"); 503 assert_eq!(format!("{escapes:?}"), "\"_\\t_\\n_\\r_\\\\_'_\\\"_\""); 504 let others = BStr::from_bytes(b"\x01"); 505 assert_eq!(format!("{others:?}"), "\"\\x01\""); 506 let non_ascii = BStr::from_bytes(b"d\xe9j\xe0 vu"); 507 assert_eq!(format!("{non_ascii:?}"), "\"d\\xe9j\\xe0 vu\""); 508 let good_bytes = BStr::from_bytes(b"\xf0\x9f\xa6\x80"); 509 assert_eq!(format!("{good_bytes:?}"), "\"\\xf0\\x9f\\xa6\\x80\""); 510 Ok(()) 511 } 512 } 513 514 /// Allows formatting of [`fmt::Arguments`] into a raw buffer. 515 /// 516 /// It does not fail if callers write past the end of the buffer so that they can calculate the 517 /// size required to fit everything. 518 /// 519 /// # Invariants 520 /// 521 /// The memory region between `pos` (inclusive) and `end` (exclusive) is valid for writes if `pos` 522 /// is less than `end`. 523 pub struct RawFormatter { 524 // Use `usize` to use `saturating_*` functions. 525 beg: usize, 526 pos: usize, 527 end: usize, 528 } 529 530 impl RawFormatter { 531 /// Creates a new instance of [`RawFormatter`] with an empty buffer. 532 fn new() -> Self { 533 // INVARIANT: The buffer is empty, so the region that needs to be writable is empty. 534 Self { 535 beg: 0, 536 pos: 0, 537 end: 0, 538 } 539 } 540 541 /// Creates a new instance of [`RawFormatter`] with the given buffer pointers. 542 /// 543 /// # Safety 544 /// 545 /// If `pos` is less than `end`, then the region between `pos` (inclusive) and `end` 546 /// (exclusive) must be valid for writes for the lifetime of the returned [`RawFormatter`]. 547 pub(crate) unsafe fn from_ptrs(pos: *mut u8, end: *mut u8) -> Self { 548 // INVARIANT: The safety requirements guarantee the type invariants. 549 Self { 550 beg: pos as usize, 551 pos: pos as usize, 552 end: end as usize, 553 } 554 } 555 556 /// Creates a new instance of [`RawFormatter`] with the given buffer. 557 /// 558 /// # Safety 559 /// 560 /// The memory region starting at `buf` and extending for `len` bytes must be valid for writes 561 /// for the lifetime of the returned [`RawFormatter`]. 562 pub(crate) unsafe fn from_buffer(buf: *mut u8, len: usize) -> Self { 563 let pos = buf as usize; 564 // INVARIANT: We ensure that `end` is never less than `buf`, and the safety requirements 565 // guarantees that the memory region is valid for writes. 566 Self { 567 pos, 568 beg: pos, 569 end: pos.saturating_add(len), 570 } 571 } 572 573 /// Returns the current insert position. 574 /// 575 /// N.B. It may point to invalid memory. 576 pub(crate) fn pos(&self) -> *mut u8 { 577 self.pos as *mut u8 578 } 579 580 /// Returns the number of bytes written to the formatter. 581 pub fn bytes_written(&self) -> usize { 582 self.pos - self.beg 583 } 584 } 585 586 impl fmt::Write for RawFormatter { 587 fn write_str(&mut self, s: &str) -> fmt::Result { 588 // `pos` value after writing `len` bytes. This does not have to be bounded by `end`, but we 589 // don't want it to wrap around to 0. 590 let pos_new = self.pos.saturating_add(s.len()); 591 592 // Amount that we can copy. `saturating_sub` ensures we get 0 if `pos` goes past `end`. 593 let len_to_copy = core::cmp::min(pos_new, self.end).saturating_sub(self.pos); 594 595 if len_to_copy > 0 { 596 // SAFETY: If `len_to_copy` is non-zero, then we know `pos` has not gone past `end` 597 // yet, so it is valid for write per the type invariants. 598 unsafe { 599 core::ptr::copy_nonoverlapping( 600 s.as_bytes().as_ptr(), 601 self.pos as *mut u8, 602 len_to_copy, 603 ) 604 }; 605 } 606 607 self.pos = pos_new; 608 Ok(()) 609 } 610 } 611 612 /// Allows formatting of [`fmt::Arguments`] into a raw buffer. 613 /// 614 /// Fails if callers attempt to write more than will fit in the buffer. 615 pub struct Formatter<'a>(RawFormatter, PhantomData<&'a mut ()>); 616 617 impl Formatter<'_> { 618 /// Creates a new instance of [`Formatter`] with the given buffer. 619 /// 620 /// # Safety 621 /// 622 /// The memory region starting at `buf` and extending for `len` bytes must be valid for writes 623 /// for the lifetime of the returned [`Formatter`]. 624 pub(crate) unsafe fn from_buffer(buf: *mut u8, len: usize) -> Self { 625 // SAFETY: The safety requirements of this function satisfy those of the callee. 626 Self(unsafe { RawFormatter::from_buffer(buf, len) }, PhantomData) 627 } 628 629 /// Create a new [`Self`] instance. 630 pub fn new(buffer: &mut [u8]) -> Self { 631 // SAFETY: `buffer` is valid for writes for the entire length for 632 // the lifetime of `Self`. 633 unsafe { Formatter::from_buffer(buffer.as_mut_ptr(), buffer.len()) } 634 } 635 } 636 637 impl Deref for Formatter<'_> { 638 type Target = RawFormatter; 639 640 fn deref(&self) -> &Self::Target { 641 &self.0 642 } 643 } 644 645 impl fmt::Write for Formatter<'_> { 646 fn write_str(&mut self, s: &str) -> fmt::Result { 647 self.0.write_str(s)?; 648 649 // Fail the request if we go past the end of the buffer. 650 if self.0.pos > self.0.end { 651 Err(fmt::Error) 652 } else { 653 Ok(()) 654 } 655 } 656 } 657 658 /// A mutable reference to a byte buffer where a string can be written into. 659 /// 660 /// The buffer will be automatically null terminated after the last written character. 661 /// 662 /// # Invariants 663 /// 664 /// * The first byte of `buffer` is always zero. 665 /// * The length of `buffer` is at least 1. 666 pub(crate) struct NullTerminatedFormatter<'a> { 667 buffer: &'a mut [u8], 668 } 669 670 impl<'a> NullTerminatedFormatter<'a> { 671 /// Create a new [`Self`] instance. 672 pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> { 673 *(buffer.first_mut()?) = 0; 674 675 // INVARIANT: 676 // - We wrote zero to the first byte above. 677 // - If buffer was not at least length 1, `buffer.first_mut()` would return None. 678 Some(Self { buffer }) 679 } 680 } 681 682 impl Write for NullTerminatedFormatter<'_> { 683 fn write_str(&mut self, s: &str) -> fmt::Result { 684 let bytes = s.as_bytes(); 685 let len = bytes.len(); 686 687 // We want space for a zero. By type invariant, buffer length is always at least 1, so no 688 // underflow. 689 if len > self.buffer.len() - 1 { 690 return Err(fmt::Error); 691 } 692 693 let buffer = core::mem::take(&mut self.buffer); 694 // We break the zero start invariant for a short while. 695 buffer[..len].copy_from_slice(bytes); 696 // INVARIANT: We checked above that buffer will have size at least 1 after this assignment. 697 self.buffer = &mut buffer[len..]; 698 699 // INVARIANT: We write zero to the first byte of the buffer. 700 self.buffer[0] = 0; 701 702 Ok(()) 703 } 704 } 705 706 /// # Safety 707 /// 708 /// - `string` must point to a null terminated string that is valid for read. 709 unsafe fn kstrtobool_raw(string: *const u8) -> Result<bool> { 710 let mut result: bool = false; 711 712 // SAFETY: 713 // - By function safety requirement, `string` is a valid null-terminated string. 714 // - `result` is a valid `bool` that we own. 715 to_result(unsafe { bindings::kstrtobool(string, &mut result) })?; 716 Ok(result) 717 } 718 719 /// Convert common user inputs into boolean values using the kernel's `kstrtobool` function. 720 /// 721 /// This routine returns `Ok(bool)` if the first character is one of 'YyTt1NnFf0', or 722 /// \[oO\]\[NnFf\] for "on" and "off". Otherwise it will return `Err(EINVAL)`. 723 /// 724 /// # Examples 725 /// 726 /// ``` 727 /// # use kernel::{c_str, str::kstrtobool}; 728 /// 729 /// // Lowercase 730 /// assert_eq!(kstrtobool(c_str!("true")), Ok(true)); 731 /// assert_eq!(kstrtobool(c_str!("tr")), Ok(true)); 732 /// assert_eq!(kstrtobool(c_str!("t")), Ok(true)); 733 /// assert_eq!(kstrtobool(c_str!("twrong")), Ok(true)); 734 /// assert_eq!(kstrtobool(c_str!("false")), Ok(false)); 735 /// assert_eq!(kstrtobool(c_str!("f")), Ok(false)); 736 /// assert_eq!(kstrtobool(c_str!("yes")), Ok(true)); 737 /// assert_eq!(kstrtobool(c_str!("no")), Ok(false)); 738 /// assert_eq!(kstrtobool(c_str!("on")), Ok(true)); 739 /// assert_eq!(kstrtobool(c_str!("off")), Ok(false)); 740 /// 741 /// // Camel case 742 /// assert_eq!(kstrtobool(c_str!("True")), Ok(true)); 743 /// assert_eq!(kstrtobool(c_str!("False")), Ok(false)); 744 /// assert_eq!(kstrtobool(c_str!("Yes")), Ok(true)); 745 /// assert_eq!(kstrtobool(c_str!("No")), Ok(false)); 746 /// assert_eq!(kstrtobool(c_str!("On")), Ok(true)); 747 /// assert_eq!(kstrtobool(c_str!("Off")), Ok(false)); 748 /// 749 /// // All caps 750 /// assert_eq!(kstrtobool(c_str!("TRUE")), Ok(true)); 751 /// assert_eq!(kstrtobool(c_str!("FALSE")), Ok(false)); 752 /// assert_eq!(kstrtobool(c_str!("YES")), Ok(true)); 753 /// assert_eq!(kstrtobool(c_str!("NO")), Ok(false)); 754 /// assert_eq!(kstrtobool(c_str!("ON")), Ok(true)); 755 /// assert_eq!(kstrtobool(c_str!("OFF")), Ok(false)); 756 /// 757 /// // Numeric 758 /// assert_eq!(kstrtobool(c_str!("1")), Ok(true)); 759 /// assert_eq!(kstrtobool(c_str!("0")), Ok(false)); 760 /// 761 /// // Invalid input 762 /// assert_eq!(kstrtobool(c_str!("invalid")), Err(EINVAL)); 763 /// assert_eq!(kstrtobool(c_str!("2")), Err(EINVAL)); 764 /// ``` 765 pub fn kstrtobool(string: &CStr) -> Result<bool> { 766 // SAFETY: 767 // - The pointer returned by `CStr::as_char_ptr` is guaranteed to be 768 // null terminated. 769 // - `string` is live and thus the string is valid for read. 770 unsafe { kstrtobool_raw(string.as_char_ptr()) } 771 } 772 773 /// Convert `&[u8]` to `bool` by deferring to [`kernel::str::kstrtobool`]. 774 /// 775 /// Only considers at most the first two bytes of `bytes`. 776 pub fn kstrtobool_bytes(bytes: &[u8]) -> Result<bool> { 777 // `ktostrbool` only considers the first two bytes of the input. 778 let stack_string = [*bytes.first().unwrap_or(&0), *bytes.get(1).unwrap_or(&0), 0]; 779 // SAFETY: `stack_string` is null terminated and it is live on the stack so 780 // it is valid for read. 781 unsafe { kstrtobool_raw(stack_string.as_ptr()) } 782 } 783 784 /// An owned string that is guaranteed to have exactly one `NUL` byte, which is at the end. 785 /// 786 /// Used for interoperability with kernel APIs that take C strings. 787 /// 788 /// # Invariants 789 /// 790 /// The string is always `NUL`-terminated and contains no other `NUL` bytes. 791 /// 792 /// # Examples 793 /// 794 /// ``` 795 /// use kernel::{str::CString, prelude::fmt}; 796 /// 797 /// let s = CString::try_from_fmt(fmt!("{}{}{}", "abc", 10, 20))?; 798 /// assert_eq!(s.to_bytes_with_nul(), "abc1020\0".as_bytes()); 799 /// 800 /// let tmp = "testing"; 801 /// let s = CString::try_from_fmt(fmt!("{tmp}{}", 123))?; 802 /// assert_eq!(s.to_bytes_with_nul(), "testing123\0".as_bytes()); 803 /// 804 /// // This fails because it has an embedded `NUL` byte. 805 /// let s = CString::try_from_fmt(fmt!("a\0b{}", 123)); 806 /// assert_eq!(s.is_ok(), false); 807 /// # Ok::<(), kernel::error::Error>(()) 808 /// ``` 809 pub struct CString { 810 buf: KVec<u8>, 811 } 812 813 impl CString { 814 /// Creates an instance of [`CString`] from the given formatted arguments. 815 pub fn try_from_fmt(args: fmt::Arguments<'_>) -> Result<Self, Error> { 816 // Calculate the size needed (formatted string plus `NUL` terminator). 817 let mut f = RawFormatter::new(); 818 f.write_fmt(args)?; 819 f.write_str("\0")?; 820 let size = f.bytes_written(); 821 822 // Allocate a vector with the required number of bytes, and write to it. 823 let mut buf = KVec::with_capacity(size, GFP_KERNEL)?; 824 // SAFETY: The buffer stored in `buf` is at least of size `size` and is valid for writes. 825 let mut f = unsafe { Formatter::from_buffer(buf.as_mut_ptr(), size) }; 826 f.write_fmt(args)?; 827 f.write_str("\0")?; 828 829 // SAFETY: The number of bytes that can be written to `f` is bounded by `size`, which is 830 // `buf`'s capacity. The contents of the buffer have been initialised by writes to `f`. 831 unsafe { buf.inc_len(f.bytes_written()) }; 832 833 // Check that there are no `NUL` bytes before the end. 834 // SAFETY: The buffer is valid for read because `f.bytes_written()` is bounded by `size` 835 // (which the minimum buffer size) and is non-zero (we wrote at least the `NUL` terminator) 836 // so `f.bytes_written() - 1` doesn't underflow. 837 let ptr = unsafe { bindings::memchr(buf.as_ptr().cast(), 0, f.bytes_written() - 1) }; 838 if !ptr.is_null() { 839 return Err(EINVAL); 840 } 841 842 // INVARIANT: We wrote the `NUL` terminator and checked above that no other `NUL` bytes 843 // exist in the buffer. 844 Ok(Self { buf }) 845 } 846 } 847 848 impl Deref for CString { 849 type Target = CStr; 850 851 fn deref(&self) -> &Self::Target { 852 // SAFETY: The type invariants guarantee that the string is `NUL`-terminated and that no 853 // other `NUL` bytes exist. 854 unsafe { CStr::from_bytes_with_nul_unchecked(self.buf.as_slice()) } 855 } 856 } 857 858 impl DerefMut for CString { 859 fn deref_mut(&mut self) -> &mut Self::Target { 860 // SAFETY: A `CString` is always NUL-terminated and contains no other 861 // NUL bytes. 862 unsafe { CStr::from_bytes_with_nul_unchecked_mut(self.buf.as_mut_slice()) } 863 } 864 } 865 866 impl<'a> TryFrom<&'a CStr> for CString { 867 type Error = AllocError; 868 869 fn try_from(cstr: &'a CStr) -> Result<CString, AllocError> { 870 let mut buf = KVec::new(); 871 872 buf.extend_from_slice(cstr.to_bytes_with_nul(), GFP_KERNEL)?; 873 874 // INVARIANT: The `CStr` and `CString` types have the same invariants for 875 // the string data, and we copied it over without changes. 876 Ok(CString { buf }) 877 } 878 } 879 880 impl fmt::Debug for CString { 881 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 882 fmt::Debug::fmt(&**self, f) 883 } 884 } 885